Passage of legislation implementing the Telecommunications Sector Security Reforms (TSSR) is one step closer, with the government today announcing it has accepted all the recommendations of a related inquiry held by the Parliamentary Joint Committee on Intelligence and Security (PJCIS).
The PJCIS in June released its report on the Telecommunications and Other Legislation Amendment Bill 2016, which implements the TSSR program. The proposed legislation will create a formal obligation for Australia’s telecommunications carriers/carriage service providers (C/CSPs) to protect their networks from threats such as espionage and sabotage.
Telcos will be obliged to notify the government of any planned changes to their networks or services that may affect security. The legislation will also give the attorney-general a broad power to issue a direction requiring a “carrier, provider or intermediary to do, or to refrain from doing, a specified act or thing within the period specified in the direction”.
Among the recommendations of the PJCIS were that the government clarify the application of the legislation to company’s providing or reselling ‘over-the-top’ services or cloud computing or cloud storage services.
The inquiry’s report said that the government should also provide guidance for when a company employs but does not own telecommunications infrastructure and when a company’s infrastructure is located overseas but used to provide services to Australians.
The government said it would develop revised guidance within the 12-month implementation period of the legislation.
The government also said it would “work collaboratively with industry to ensure effective and regular information-sharing (particularly in relation to threat information)” — another recommendation of the PJCIS report.
“It will identify relevant information-sharing mechanisms prior to the conclusion of the 12 month implementation period,” said a statement issued by communications minister Senator Mitch Fifield and Attorney-General Senator George Brandis.
“Existing information sharing mechanisms may be utilised to facilitate or support effective information sharing.”
The statement said the government would work on additional guidance on the kinds of changes to infrastructure and services that would require a company to notify security agencies.
One change to the bill the government plans to make is to empower the Communications Access Co-ordinator (CAC) overseeing the TSSR to issue “class exemptions” that will spell out the kinds of changes that won’t trigger the notification obligation.
Another change to the bill will be a specific obligation to notify the CAC if a company plans to offshore so-called ‘metadata’ covered by the government’s data retention regime.
“Telecommunications networks are a fundamental component of other critical sectors such as health, finance, transport, water and power,” the statement from Fifield and Brandis said.
“With the increasing threat of interference from malicious actors, including through cyber intrusions, protecting these networks is a priority of this government.”